Kubernetes

Configuring Active Directory integration with VMware PKS Ops Manager using VMware Identity Manager (vIDM)

04/27/2018 by William Lam 1 Comment

When configuring Ops Manager for VMware Pivotal Container Service (PKS) from an Authentication standpoint, you can either chose local authentication or use an external identity provider. The former means you are managing local users that reside within the User Account and Authentication (UAA) component of Ops Manager, which may be okay for a lab or proof of concept environment. However, for a Production deployment, most customers prefer to use their enterprise directory services which is typically Microsoft Active Directory.

Ops Manager can integrate with a number of external identity providers as long as it can speak SAML. For VMware customers, the preferred identity provider solution is VMware Identity Manager (vIDM) which not only supports Active Directory, but can also support a number of other directory service integrations like Active Directory Federation Services (ADFS) as example. Since vIDM supports SAML-based authentication, we can configure Ops Manager to use vIDM which also means we benefit from all of the enterprise Single Sign-On capabilities that vIDM delivers, including things like multi-factor authentication which can provide an additional layer of security when connecting to your PKS infrastructure.

Since there is currently no documentation on how to set this up, with the help of my colleague Blair Fritz and Assaf from the vIDM Engineering team, we have documented the process below which outline the required steps to integrate Ops Manager with vIDM.

Getting started with VMware Pivotal Container Service (PKS) Part 9: Logging

04/26/2018 by William Lam Leave a Comment

In this blog post, we will walk through configuring the various components within a PKS deployment such as vSphere (vCenter Server & ESXi), NSX-T (Manager, Controllers & Edges), BOSH and PKS Control Plane to forward their logs to an external syslog system such as a VMware vRealize Log Insight (vRLI) which includes 25 free OSI licenses for any vSphere customer.

If you missed any of the previous articles, you can find the complete list here:

Getting started with VMware Pivotal Container Service (PKS) Part 8: Monitoring Tool Overview

04/24/2018 by William Lam 1 Comment

I had received a few questions about the monitoring capabilities for VMware PKS and some of the VMware tools that can help provide visibility and audibility of the platform. Different consumers of PKS will care about different things, as you can imagine the cloud admin/platform operator is primarily concerned with the underlying infrastructure (compute, storage, network) including the PKS Management components. Developers want to know how their application is doing and if there are any issues, how to quickly access the information they need to debug and fix the problem.

Logging

Complete end-to-end logging is a mandatory requirement for many customers, especially when it comes to dealing with large and complex application deployments. Being able to provide centralized access of all logs to both operators and developers is key to be able to quickly triage and resolve an issue. Remote syslog can be configured throughout the PKS stack from the infrastructure and going all the way up to the application if developers decides to instrument logging and sending it to the same syslog target. VMware customers can take advantage of vRealize Log Insight (vSphere customers receive 25 free OSI licenses) which is a on-premises log management solution. If you prefer a SaaS-based solution, VMware also has Log Intelligence which can be used to service both premises infrastructure as well as other cloud hosted deployments.

Infrastructure Monitoring

For Cloud Admins/Platform Operators, vRealize Operations Manager (vROPs) will be the tool of choice which many of our customers are already familiar with. vROps provides analytics, capacity management and alerting for all of your underlying compute, storage and networking infrastructure. This information can be trended over time and provide help proactive identify any anomalies within the infrastructure before they arise. There are a number of Management Packs that can be used to provide easy to consume and out of the box dashboards such as vSphere which gives you information about your vCenter Server and the ESXi hypervisor, NSX-V as well as NSX-T for networking/security and core storage including VSAN.

Application Monitoring

Unlike traditional applications, Cloud Native Apps require a completely different way of monitoring to ensure Developers can easily access the important information they require for development purposes. VMware Wavefront is a SaaS-based solution that is metrics monitoring and analytics platform that can handle the high-scale requirements of modern cloud-native applications. Not only can Developers instrument their own applications and forward that to Wavefront, but Wavefront also provides complete visibility into a Kubernetes (K8S) deployment from namespaces, nodes, pods and all the way down to the individual containers.

Here is a diagram to help illustrate the visibility that each solution provides:

In the next three posts, I walk through the configuration steps to setup vRLI, vROPs and Wavefront with VMware PKS.

If you missed any of the previous articles, you can find the complete list here:

Getting started with VMware Pivotal Container Service (PKS) Part 7: Harbor

04/10/2018 by William Lam 1 Comment

Now that we have a functional PKS deployment, an optional but very useful add-on to deploy and integrate with PKS is the VMware Harbor solution. Harbor is an Enterprise-class container registry that customers can run within their own Datacenter to securely store and provide access to container images used by their development teams. The process of deploying Harbor is similiar to PKS. You will need to download the Harbor Tile from Pivotal Network, import that into Ops Manager and then configure and deploy using the same interface.

If you missed any of the previous articles, you can find the complete list here:

How to access the Kubernetes Dashboard UI for a VMware PKS Managed K8S Cluster?

04/05/2018 by William Lam Leave a Comment

As some of you may have noticed I have been spending some time working with VMware PKS and Google's Kubernetes (K8S). In fact, I have an entire blog series which you can find below if you are interested.

While consuming one of my PKS managed K8S Cluster, I wanted to access the built-in K8S Web UI Dashboard (which is installed by default as part of the K8S setup by PKS) but I was not able to find a way to access it. After speaking with Michael West, who works in our CNABU, I found out that the K8S Dashboard currently does not support OAuth Tokens which prevents us from easily accessing the UI. However, there is a workaround which involves using an SSH tunnel and leveraging K8S proxy to proxy the Dashboard UI to the K8S Master Node which we can then access from our desktop machine.

Step 1 - We need to configure port forwarding using an SSH Tunnel, depending on the OS type that you wish to connect to the Dashboard UI, take a look at the specific steps below.

Windows - You can use any number of SSH Clients, I normally use Putty. Enter the username/hostname as you normally would but before connecting, expand Connection->SSH->Tunnels and add a new forwarded port with source port being 8001 and destination being localhost:8001. Once you have completed this step, you can connect like you normally would.

MacOS/Linux - You can simply use the built-in ssh client and run the following:

ssh [email protected] -L 8001:127.0.0.1:8001 -N

Note: If the system that you are trying to access the Dashboard UI also has kubectl installed, then an SSH tunnel is not required and you can simply go straight to Step 2.

Step 2 - Once you have successfully SSH'ed to your PKS Client VM, you can then run the following command to start the K8S proxy:

kubectl proxy

Step 3 - To access the K8S Dashboard, open a browser and connect to http://localhost:8001/ui which should take you to login page. From here, you will need a copy of the specific K8S Cluster configuration file (stored in ~/.kube/config which can be pulled using pks get-credentials [NAME-OF-PKS-CLUSTER]) and provide that as shown in the screenshot below to login to dashboard.

After signing in with the K8S Configuration file, you should be taken the dashboard for your specific K8S Cluster. If you do not see any of your pods, make sure to toggle the Namespace from the system "Default". Below is a screenshot of my K8S Cluster which was deployed with our Yelb application as shown in Part 6 of my VMware PKS series.

Getting started with VMware Pivotal Container Service (PKS) Part 6: Kubernetes Go!

04/04/2018 by William Lam 7 Comments

In this article, we will walk through the two workflows, one from the perspective of the Cloud/Platform Operator and how to create a new PKS Cluster to how it will be consumed by the Developer which is simply accessing the Kubernetes API endpoint and does not have to know anything about how it was provisioned or even access to the underlying PKS infrastructure. I think most of you have probably been waiting for this part of the series to see PKS in action and demonstrate how easy it is to manage and consume K8S Clusters.

If you missed any of the previous articles, you can find the complete list here: